no-iam-admin-privileges.yaml
rules:
  - id: no-iam-admin-privileges
    # Flags Terraform-defined IAM policies that grant Action "*" on Resource "*"
    # (full administrative access) in an Allow statement.
    pattern-either:
      # Branch 1: policy JSON built with jsonencode() on a policy-carrying resource.
      - patterns:
          - pattern-inside: |
              resource $TYPE "..." {
                ...
                policy = jsonencode({
                  ...
                  Statement = [
                    ...
                  ]
                  ...
                })
                ...
              }
          # Caveat: this excludes the whole resource as soon as any statement in it
          # has Effect = "Deny", so an Allow "*"/"*" next to an unrelated Deny is missed.
          - pattern-not-inside: |
              resource $TYPE "..." {
                ...
                policy = jsonencode({
                  ...
                  Statement = [
                    ...,
                    {... Effect = "Deny" ...},
                    ...
                  ]
                  ...
                })
                ...
              }
          # Both wildcards must appear in the same statement object. Only the bare
          # string form "*" is matched; the list form ["*"] is not.
          - patterns:
              - pattern: |
                  {..., Action = "*", ...}
              - pattern: |
                  {..., Resource = "*", ...}
          # Only these four policy-carrying resource types are inspected.
          - metavariable-pattern:
              metavariable: $TYPE
              pattern-either:
                - pattern: |
                    "aws_iam_role_policy"
                - pattern: |
                    "aws_iam_policy"
                - pattern: |
                    "aws_iam_user_policy"
                - pattern: |
                    "aws_iam_group_policy"
      # Branch 2: aws_iam_policy_document data source; matches one-element wildcard
      # lists. The same Deny caveat applies: one Deny statement in the data source
      # suppresses findings for every statement in it.
      - patterns:
          - pattern-inside: |
              data aws_iam_policy_document "..." {
                ...
                statement {
                  ...
                }
                ...
              }
          - pattern-not-inside: |
              data aws_iam_policy_document "..." {
                ...
                statement {
                  ...
                  effect = "Deny"
                  ...
                }
                ...
              }
          - patterns:
              - pattern: |
                  {..., resources = ["*"], ...}
              - pattern: |
                  {..., actions = ["*"], ...}
    message: >-
      IAM policies that allow full "*-*" admin privileges violate the principle of least privilege.
      This allows an attacker to take full control over all AWS account resources. Instead, give each user
      more fine-grained control with only the privileges they need. $TYPE
    metadata:
      references:
        - https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py
      category: security
      cwe:
        - 'CWE-269: Improper Privilege Management'
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
    languages: [hcl]
    severity: WARNING
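The Terraform fixture below is an added example for exercising this rule; it is not the semgrep-rules project's own test file. It follows the repository's test annotation convention (`# ruleid:` expects a finding on the next match, `# ok:` expects none, `# todoruleid:` documents a known miss) and places the vulnerable wildcard grant beside its least-privilege form. Resource names, the `aws_iam_role.example` / `aws_iam_user.example` references and the bucket ARN are constructed for illustration; the two `todoruleid` cases follow from the rule's own patterns (bare-string `"*"` only, and any `Deny` statement suppressing the whole resource).

```hcl
# Constructed fixture for no-iam-admin-privileges (added example, not the
# project's test file). Annotation lines sit directly above the statement
# object / block where the rule's match is expected to begin.

# Inline policy that grants everything on everything: flagged.
resource "aws_iam_policy" "full_admin" {
  name = "full-admin"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # ruleid: no-iam-admin-privileges
      {
        Effect   = "Allow"
        Action   = "*"
        Resource = "*"
      }
    ]
  })
}

# Same grant written in list form. The rule compares the bare string "*",
# so ["*"] escapes it: a known gap worth remembering when reading results.
resource "aws_iam_policy" "full_admin_list_form" {
  name = "full-admin-list"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # todoruleid: no-iam-admin-privileges
      {
        Effect   = "Allow"
        Action   = ["*"]
        Resource = ["*"]
      }
    ]
  })
}

# The pattern-not-inside clause drops the whole resource as soon as ANY
# statement carries Effect = "Deny", even one unrelated to the admin grant,
# so this Allow "*"/"*" goes unreported.
resource "aws_iam_role_policy" "admin_with_unrelated_deny" {
  name = "admin-with-deny"
  role = aws_iam_role.example.id   # constructed reference
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # todoruleid: no-iam-admin-privileges
      {
        Effect   = "Allow"
        Action   = "*"
        Resource = "*"
      },
      {
        Effect   = "Deny"
        Action   = "s3:DeleteBucket"
        Resource = "*"
      }
    ]
  })
}

# Least-privilege form: one action on one ARN. Not flagged.
resource "aws_iam_user_policy" "read_one_bucket" {
  name = "read-one-bucket"
  user = aws_iam_user.example.name   # constructed reference
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # ok: no-iam-admin-privileges
      {
        Effect   = "Allow"
        Action   = "s3:GetObject"
        Resource = "arn:aws:s3:::example-reports-bucket/*"
      }
    ]
  })
}

# Policy-document data source with the same wildcard grant: flagged.
data "aws_iam_policy_document" "full_admin" {
  # ruleid: no-iam-admin-privileges
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

# Scoped policy document: not flagged.
data "aws_iam_policy_document" "read_one_bucket" {
  # ok: no-iam-admin-privileges
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-reports-bucket/*"]
  }
}
```

Run it with `semgrep --test` against the rule file (placing the fixture as `no-iam-admin-privileges.tf` beside the YAML) to confirm the two flagged cases and the two `ok` cases; the `todoruleid` entries record the list-form and Deny-suppression misses without failing the test, and are the first things to tighten if this rule is adapted for a stricter audit.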